Populations & Complexity

For most populations in nature, heterogeneous or not, growth in insecure but interconnected groups invariably draws attackers.[1] It is no different in the digital world, where interconnected systems are usually best protected at their shared boundaries, with security controls that thin out as one moves toward the individual units. This topology and environment are representative of the vast majority of IT infrastructures and are certainly pervasive among endpoint devices such as workstations, mobile devices, and point-of-sale systems.

Exacerbating the issue of IT security relative to populations are the incentives, in the form of fame and money, for those who choose the path of a blackhat. To be sure, there are other incentives, such as gaining a competitive advantage through industrial espionage or expressing an ideology through hacktivism. With that said, fame and money give threat actors a much larger target pool, thus affecting a wider swath of industries and organizations. In any event, the solution to the security dilemma is an information assurance framework that most cybersecurity professionals are familiar with. This framework is known as “defense-in-depth”, and it dictates that organizations commit to a layered approach to security.

Lately, it seems the concept of defense-in-depth has more often than not succumbed to the long-standing problem of being mostly reactive, especially given the growing number of assets for which IT security professionals are responsible. In a strategic sense, it tends to foster complacency, especially when coupled with the checklist mentality that permeates many IT security programs. As we approach populations made up entirely of individual units that are related in function, such as mobile devices and point of sale (POS) systems, the concept of security becomes more critical but less effective. This stems from the fact that end users inherently play a role in securing the IT assets under their operational responsibility. Social engineering, spearphishing and other psychological ploys make the human element susceptible to threats. The latest Verizon Data Breach Investigations Report (VDBIR), a compilation and study of security incidents, is the perfect conduit to illustrate the population dilemma and the associated challenges of IT security.

In 2013, over 83 million records were found to be compromised. Not to be outdone, 2015 started out with the largest single data breach to date, resulting in over 80 million compromised records. The numbers are astounding, but there is another point to consider. In addition to increases in population, we are also witnessing increases in complexity. Engineering feats in hardware and developments in software have produced ever more complex information systems. There is an implicit correlation between the complexity of systems and the framework required to sufficiently protect them. Bruce Schneier, one of the most respected information security professionals, published an article on his blog titled “A Plea For Simplicity: You can’t secure what you don’t understand”.[2] Although written more than 15 years ago, the article is still relevant and perfectly captures the complexity dilemma as it relates to the explosive growth in the deployment of various information technologies.

As populations increase, so does the complexity of the interconnected systems. It is a natural relationship, since so many considerations must be continually addressed to sustain a means to communicate, a means to maintain interoperability between systems, and a means to continually account for scalability. As we address all of those means, we invariably increase the complexity associated with security, and hence drift away from a secure posture.

Of all the statistics provided by the VDBIR, one clearly stood out: it highlighted the overwhelming means by which incidents were detected relative to insider threats. It was the victims or consumers who alerted the organizations, rather than the organizations detecting the incidents themselves. For financially motivated web-based attacks, 74% of the actual detections were attributed to a customer’s awareness and notification. Only 2% of the attacks were detected internally by the compromised organizations.[3] This is a startling revelation and certainly solidifies the point that consumers are sometimes cybersecurity’s “first responders”.

There is no certainty as to where the issues will end up relative to populations and interconnected complex systems. Given the innumerable challenges that organizations face in defending their networks, the consumer will perpetually be on the front lines of the cyber battle. Perhaps the battle will cause consumers to apply pressure via market forces by choosing the most “secure” organizations to interact with. Perhaps consumers will give in and trade convenience for robust security. There is no telling what will happen, but “it” had better happen fast, as populations and complexity are taking over… it’s getting ugly out there.